2016-06-06 - EK DATA DUMP (NEUTRINO EK, RIG EK)

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2016-06-06-EK-data-dump-3-pcaps.zip   2.8 MB (2,819,120 bytes)

• 2016-06-06-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-first-run.pcap   (1,271,688 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-ransomware-second-run.pcap   (1,469,813 bytes)
• 2016-06-06-Rig-EK.pcap   (431,364 bytes)

• 2016-06-06-EK-data-dump-malware-and-artifacts.zip   946.1 kB (946,112 bytes)

• 2016-06-06-page-from-garlocksafety_com-with-injected-pseudoDarkleech-script-first-run.txt   (15,049 bytes)
• 2016-06-06-page-from-garlocksafety_com-with-injected-pseudoDarkleech-script-second-run.txt   (17,535 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.html   (14,190 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-ransomware-decrypt-instructions.txt   (1,755 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-flash-exploit-first-run.swf   (89,256 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf   (89,336 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt   (770 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt   (758 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-first-run.dll   (396,800 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-ransomware-second-run.dll   (662,528 bytes)
• 2016-06-06-Rig-EK-flash-exploit.swf   (15,493 bytes)
• 2016-06-06-Rig-EK-landing-page.txt   (5,188 bytes)
• 2016-06-06-Rig-EK-payload.exe   (311,296 bytes)

 

NOTES:

• This EK data dump has one Rig EK pcap and two Neutrino EK pcaps.
• In today's examples, the pseudoDarkleech campaign is using Neutrino EK (instead of Angler EK) to deliver CryptXXX ransomware.

SOME HISTORY ON PSEUDO-DARKLEECH AND CRYPTXXX:

• On 2016-03-22, PaloAlto Networks posted a blog that provides background on the pseudoDarkleech campaign (link).
• On 2016-04-16, Proofpoint reported the first sightings of CryptXXX ransomware (link).
• On 2016-04-23, I posted an ISC diary about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections (link).
• On 2016-04-28, PaloAlto Networks reported another campaign called "Afraidgate" had switched from Locky ramsomware to delivering CryptXXX ransomware (link).
• On 2016-05-09, Proofpoint issued another report on CryptXXX, now at version 2.0 (link).
• On 2016-05-24, BleepingComputer reported CryptXXX was updated to version 3.0 (link) two days before I saw it on 2016-05-26 (link).
• On 2016-06-01, Due to the new decryption instructions, some organizations say version 3 of CryptXXX may actually be "UltraCrypter" (link) and (link).
• On 2016-06-03, Proofpoint published an update about CryptXXX, now at version 3.1 (link).

BACKGROUND ON TODAY'S RIG EK EXAMPLE:

• Today's Rig EK pcap (kicked off by pavtube[.]com) is from a campaign explained in two diaries at the Internet Storm Center (ISC) located here and here.

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.pavtube[.]com - GET /public/temp/js/jquery.js - file with injected script
• 67.215.187[.]94 port 80 - a.topgunn[.]photography - GET /yjviewforumbgtnb.php - gate provides data to determine Rig EK landing page
• 5.200.55[.]117 port 80 - gr.toiletrolltalker[.]com - Rig EK

• 104.238.171[.]123 port 80 - uesrjjwbk.exiteam[.]top - Neutrino EK first run
• 45.32.183[.]118 port 80 - glsmafknv.5issuei[.]top - Neutrino EK second run
• 188.0.236[.]7 port 443 - CryptXXX ransomware post-infection traffic (custom encoded)

 

 

Click here to return to the main page.